How Equifax Kept Its Mega Breach Secret From Its Own Staff

Equifax, the consumer credit reporting agency, was hacked in 2017, when data belonging to over 145 million Americans was stolen, including social security numbers, credit card numbers and addresses. (Photo by Jaap Arriens/NurPhoto via Getty Images)

Did Equifax keep the massive 2017 data breach hidden from some of its own staff? That's just one claim made by the SEC in its complaint against a former executive, international chief information officer Jun Ying, who has been accused of insider trading after he sold stock just before the hack affecting 147 million individuals was publicly disclosed.

A source close to the Equifax breach confirmed that some staff were not informed of the real name of the victim as the company tried to compartmentalize what was known in the buildup to the public release. But, the source said, it was standard practice and nothing resembling a cover-up.

According to the SEC's complaint, Equifax set up two separate operations, Project Sierra and Project Sparta, to deal with the breach. Project Sierra was the name given to the overall response to the attack, which led to the loss of social security numbers, credit card information and other personal data of consumers. Those on the Sierra team were told to keep their work secret from anyone outside of Equifax's "crisis action team," the SEC said. The group's work involved changing administrator passwords and other remediation efforts, according to the regulator's account.

Project Sparta, kept entirely separate from Sierra, was the team that was deliberately kept in the dark about the identity of the victim. According to the SEC, its members "were tasked with setting up a website for consumers to determine whether they were affected by the breach, developing a suite of protective tools for consumers and staffing call centers." But they weren't told that Equifax itself was the victim. As the SEC wrote: "Those Equifax employees who were only part of Project Sparta were not told that Equifax had been breached, but were instead told that they were working for an unnamed client that had experienced a large data breach."

In an internal email, Ying was among those told that Equifax was working on a "VERY large breach opportunity" that needed a ramp-up in resources and a quick turnaround, the regulator wrote. But Ying started to work out that Equifax was the one breached, the SEC said, noting that in late August 2017, about a month after Equifax began investigating the hack, he texted a colleague: "On the phone with [global CIO]. Sounds bad. We may be the one breached... Starting to put 2 and 2 together."

That same month, the SEC claimed Ying had searched for information regarding a breach at Equifax competitor Experian from 2015. "Within an hour of running the internet searches regarding the September 2015 cybersecurity breach of Experian, Ying accessed his company-sponsored stock plan account with UBS Financial Services, Inc., exercised all of his vested options to buy Equifax shares, and then immediately sold those Equifax shares for total proceeds of more than $950,000," the complaint read.

The SEC has claimed Ying's trading saved him more than $117,000 in losses, which he would've incurred if he hadn't sold until after the breach news became public and Equifax shares dropped. By basing his decision to sell on nonpublic information entrusted to him by Equifax, Ying's actions were "deceptive and fraudulent," the SEC wrote.

'Need-to-know basis'

A source close to Equifax confirmed to Forbes that employees working on Project Sparta were not informed of the true identity of the victim company, but said this was typical practice. For instance, when Equifax is working with a client on a data breach, those employees working on consumer tools and protective measures would not be informed of the customer's identity until it went public. Only those who needed to know were told Equifax was the affected party; this was also standard and not in any way a cover-up, the source said.

But such an approach created one problem, according to former SEC supervisory trial counsel David Axelrod: anyone working in or alongside the Project Sparta team was not informed of the share-trading blackout imposed on the Project Sierra workforce. Equifax couldn't tell those employees (including the accused) about the blackout without giving away its status as a victim, and striking that balance was a tricky question for the company, noted Axelrod, now a partner at law firm Ballard Spahr. "I think Equifax's heart was in the right place," he said. "It seemed like Equifax was trying to do the right thing, but probably the safer thing would've been to go broader [with the fact it was breached]."

Of the charges against Ying, Equifax's interim chief executive officer, Paulino Do Rego Barros Jr., said: "Upon learning about Mr. Ying's August sale of Equifax shares, we launched a review of his trading activity, concluded he violated our company's trading policies, separated him from the company and reported our findings to government authorities. We are fully cooperating with the DOJ and the SEC, and will continue to do so."

Ying's attorney could not be reached at the time of publication, but declined to comment to the Washington Post. Ying is also facing federal charges from the Department of Justice following an investigation by the FBI.